Active Directory/LDAP troubleshooting

Hi folks, I’m having some issues with my Grafana Active Directory setup. I’ve tried quite a lot of troubleshooting and haven’t managed to make any progress. I am using Active Directory services on Windows Server 2019 and my AD setup looks like so:


I have a user called GrafanaAdmin with sAMAccountName GrafanaAdmin who is assigned an AD Administrator role.

ldap.toml

[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "10.0.0.4"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
use_ssl = false
# If set to true, use LDAP with STARTTLS instead of LDAPS
start_tls = false
# set to true if you want to skip ssl cert validation
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"

# Search user bind dn
bind_dn = "SWORD\\%s"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
#bind_password = ''

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(sAMAccountName=%s)"

# An array of base dns to search through
search_base_dns = ["DC=Sword,DC=GrafanaTest"]

## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
## Please check grafana LDAP docs for examples
# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
# group_search_filter_user_attribute = "uid"

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email =  "mail"

When logged in to the Grafana LDAP tester I always receive the "No user was found in the LDAP server(s) with that username" error. The logs show

t=2022-05-19T10:20:55+0000 lvl=dbug msg="LDAP SearchRequest" logger=ldap searchRequest="&{BaseDN:DC=Sword,DC=GrafanaTest Scope:2 DerefAliases:0 SizeLimit:0 TimeLimit:0 TypesOnly:false Filter:(|(sAMAccountName=GrafanaAdmin)) Attributes:[sAMAccountName sn mail givenName memberOf] Controls:[]}\n"
t=2022-05-19T10:20:55+0000 lvl=eror msg="No user was found in the LDAP server(s) with that username" logger=context userId=2 orgId=1 uname=GrafanaAdmin error="LDAP Result Code 1 \"Operations Error\": 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563" remote_addr=127.0.0.1
t=2022-05-19T10:20:55+0000 lvl=info msg="Request Completed" logger=context userId=2 orgId=1 uname=GrafanaAdmin method=GET path=/api/admin/ldap/GrafanaAdmin status=404 remote_addr=127.0.0.1 time_ms=6 size=72 referer=http://grafana.staged-by-discourse.com/admin/ldap

When manually querying AD with dsquery and ADSISearcher I am able to find the user with the exact same filter e.g.

PS C:\Users\dillan.mann> dsquery * -filter "(|(sAMAccountName=GrafanaAdmin))"
"CN=GrafanaAdmin,CN=Users,DC=Sword,DC=GrafanaTest"
PS C:\Users\dillan.mann> dsquery * -filter "(|(sAMAccountName=GrafanaAdmin))" -attr sAMAccountName cn
  sAMAccountName    cn
  GrafanaAdmin      GrafanaAdmin
PS C:\Users\dillan.mann> $adsiSearcher = [adsisearcher]'(|(sAMAccountName=GrafanaAdmin))'
PS C:\Users\dillan.mann> $adsiSearcher.searchroot = 'LDAP://DC=Sword,DC=GrafanaTest'
PS C:\Users\dillan.mann> $searcherResults = $adsiSearcher.findall()
PS C:\Users\dillan.mann> $searcherResults

Path                                                    Properties
----                                                    ----------
LDAP://CN=GrafanaAdmin,CN=Users,DC=Sword,DC=GrafanaTest {givenname, codepage, objectcategory, dscorepropagationdata...}

Any help troubleshooting this issue would be much appreciated, thanks!

My AD reader user had not had a password set correctly. Setting the password in AD and then setting that password in the config fixed the issue.